Comments on Eyes Above The Waves: Confession Of A C/C++ Programmer
(comment feed, last updated 2018-12-19; newest comment first)

Robert, 2017-08-01 11:52 (+12:00):

I'm not the one who did the fuzzing, but basically you're 100% right. Until your code has been attacked, you don't know how good it is/how good you are.

Nigel Heffernan, 2017-08-01 04:35 (+12:00):

Am I the only person here who noticed that half the replies miss a key point in Robert's post: he knows the bugs are there because he runs a fuzz-test on his code.

I cannot see a single one of those confident assertions about Rust and D (and other respondents' answers about their own careful coding) backed up with "I am confident that I am right because I always fuzzed it / subjected it to an internal security review / put it up online with a hundred-dollar bug bounty".

You're probably not that good. And you will only ever know that you are, for real, unless and until you are constantly and consistently and thoroughly checking that you are.

Robert's doing the testing and he knows exactly how good he is: step up to the plate, ladies, gentlemen and others, and tell us how good you *know* yourself and your toolkit to be.

I will start the ball rolling: I have never written any nontrivial code that passed a fuzz-test without one or more nontrivial errors. More than one of them has caused consternation among colleagues who admitted, quite freely, that they would not have picked them up in peer review.

Robert, 2017-07-21 18:46 (+12:00):

It's very easy with smart pointers, really. E.g.:

    #include <memory>
    #include <iostream>
    using namespace std;
    int main(void) {
        unique_ptr<int> p = make_unique<int>(3);
        const int& v = *p;   // v refers to the int owned by p
        p = nullptr;         // frees the int; v is now a dangling reference
        cout << v;           // use after free
        return 0;
    }

Obviously the problem is references. But avoiding the use of references in "modern C++" isn't really an option.

Chris G., 2017-07-21 18:36 (+12:00):

+PatrickWalton "use after free is so easy with smart pointers" No, it is actually the exact opposite.

FDominicus, 2017-07-21 04:05 (+12:00):

I know C quite well, but it's not a "safe" thing. It's to some extent always a beast in disguise, and sooner or later you'll be bitten. And Alex is right: some languages simply are built up to be safer. But you build bugs with any language ;-)

FDominicus, 2017-07-21 04:03 (+12:00):

Strangely enough, I do like D but have a special dislike for C++. I simply do not like to read code in it. I probably get along, but I've learned OO with a better, simpler OO language, and yes, D is but one C with Classes. Objective-C is IMHO wonderful; look into GTK and you have OO in "plain" C with all the strange things. And of course C# and Java are all influenced (syntactically) by C.

Despite all the shortcomings I do think any programmer should know C. YMMV, that's clear.

FDominicus, 2017-07-21 03:56 (+12:00):

That's what I meant with tools. There are zillions of malloc replacements, there are type annotations and there is also valgrind, and tons of other stuff. It can improve on the problem, but they simply do not vanish. Anyway, if you look around and see computers running for years or maybe decades, I'd say C stands pretty well with quite reliable software. And I guess if we just dropped C for any database development, 90% of them were gone, even the biggest ones. So yes, C is great and C is dangerous ;-)

Alex Elsayed, 2017-07-20 19:12 (+12:00):

John Regehr has a _very_ detailed rebuttal of this kind of thinking: https://blog.regehr.org/archives/1520

Alex Elsayed, 2017-07-20 19:07 (+12:00):

Yes; some languages are _actually_ safe. This generally requires being based on a well-defined formalism, rather than grown organically.

As an example, consider _any_ prover language (such as Coq, or Lean, etc.) - if they were _not_ safe, then one could construct invalid proofs, making them quite useless.

More generally, any language with a sufficiently strong type system and which enforces type-safety and memory-safety has a _very_ strong claim to being _actually_ safe.

Alex Elsayed, 2017-07-20 19:01 (+12:00):

Returning a reference to a local variable, and then using it, is perfectly valid C++ without the "C part", and is just as wildly unsafe.

David Ford, 2017-07-20 01:44 (+12:00):

brilliant, well said...

Doom Ooseventh, 2017-07-19 04:18 (+12:00):

> I mean why would you use pthread, pointers as arrays, etc. in 2017

I could have said 2010 or 2003 for what it's worth. At this time boost already had boost::thread and boost::shared_ptr / boost::intrusive_ptr.

Matthias Hauswirth, 2017-07-19 01:58 (+12:00):

Dear "unknown",

I find your comment about retirement inappropriate. It's fine to disagree with O'Callahan's position or to doubt his skills, but you could have formulated your view in a mature and constructive way.

I think that practicing programmers with O'Callahan's profound understanding of programming, programming languages, and runtime systems are very rare. I don't really know him well, but I met him at IBM Research over a decade ago. To me, his work and his expertise were impressive already then.

IMHO, a comment like yours would be inappropriate even if it came from Bjarne Stroustrup himself.

-Matthias Hauswirth

root@boy, 2017-07-19 01:50 (+12:00):

basically neither Rust nor Ada add much on top of C++ & static analyzer IMHO

root@boy, 2017-07-19 01:48 (+12:00):

Rust is a C competitor, as is C++ :D

root@boy, 2017-07-19 01:47 (+12:00):

show me any code ... :D

root@boy, 2017-07-19 01:46 (+12:00):

same holds for C++ (as Java/Go) if you avoid the C part :D

also no CVE for Java :D
write once debug everywhere :D

root@boy, 2017-07-19 01:45 (+12:00):

smart pointers, YES THEY DO!

root@boy, 2017-07-19 01:43 (+12:00):

+KevinDoyon

this is the actual Gotw91:

"
Guideline: Use a non-const shared_ptr& parameter only to modify the shared_ptr. Use a const shared_ptr& as a parameter only if you're not sure whether or not you'll take a copy and share ownership; otherwise use widget* instead (or if not nullable, a widget&).
"

so I'd rather say prefer smart pointers and only when performance matters use pointer/ref

Germán Diago, 2017-07-19 01:14 (+12:00):

Rust safety is the *top* feature. It is the thing that defines it as doing better than C++ in an objective way. You have pattern matching and many other things, but nothing that cannot get close in C++ with variants and other stuff. Pattern matching alone will not sell a language, even if it is very nice. On the systems side: constexpr and generic programming are strictly more powerful in C++. I was disappointed about the generic programming in Rust. Yes, it has traits, they are nice. And type checking. But still, there is the variadics problem as of now, which leads to code explosion. I also recall there was no partial specialization, but I'm not sure if they fixed it; there was some discussion some time ago.

Jim Stuttard, 2017-07-18 19:17 (+12:00):

In the '80s the UK MoD decided formal methods were too expensive. They went with strongly-typed Ada.

Wikipedia lists what still has to be checked:

"Ada also supports run-time checks to protect against access to unallocated memory, buffer overflow errors, range violations, off-by-one errors, array access errors, and other detectable bugs. These checks can be disabled in the interest of runtime efficiency, but can often be compiled efficiently."

Functional programmers know why the NSA's Trusted Systems Research Group had their cryptography design software https://github.com/GaloisInc/cryptol written in Haskell: pure, and can therefore use SMT solvers, such as Yices, Z3, or CVC4, to prove predicates for all possible inputs.

Lucretia9, 2017-07-18 18:55 (+12:00):

Yup, when I've pointed out the problems with these languages to people, I've had people commenting, in a very arrogant way, saying they don't make those mistakes; my immediate thought is that they're idiots.

Try Ada 2012.

Robert, 2017-07-18 17:04 (+12:00):

Depends on the task, but mostly if I get to choose the language I'd choose Rust over C++.

craiganslow, 2017-07-18 16:19 (+12:00):

Rob, if you could use another language what would you use instead?